Stuart Scullion: How to deal with GDPR, the IDD and the SMCR

GDPR, the Insurance Distribution Directive and the new Senior Managers regime will make 2018 a big year for regulation says Association of Medical Insurers and Intermediaries (AMII) executive chairman Stuart Scullion

The turkey is finished, the Christmas decorations have been packed away and the New Year’s festivities are over. As we enter 2018 full of optimism, it’s time to ask yourself: “Are you ready for 2018?”

By now your business plan has been written, reviewed and honed to within an inch of its life. We all want to get on with the sexy stuff – marketing, new distribution and making more sales.

But a note of caution: 2018 is going to be a big year for regulation and legislation.

We all expected the new Insurance Distribution Directive (IDD) to be the first thing to hit us, on 23 February, but its application date has now been pushed back by seven months to 1 October.

EU member states are still required to transpose the IDD into national law by the original date. The European Commission is also preparing to postpone the application of two delegated regulations adopted under the IDD; these will have to go through an accelerated legislative procedure if the October 2018 date is to be met.

In any event, your preparation should be almost complete, barring some last-minute tweaks to ensure you are compliant with the new rules.

The new Senior Managers and Certification Regime (SMCR), which replaces the Approved Persons regime, was next on my list, but we have 12 months to become compliant. I am not suggesting you ignore the SMCR, however, as there are some useful things you can do now that will stand you in good stead later.

A good first step would be to create an organisational structure chart, or to review the latest version you have and check that it remains accurate. Next, I would revisit the job descriptions of the directors and senior managers likely to be affected by the new regime, ensuring that each role's responsibilities and accountabilities are clearly defined.

I have yet to meet a business which has every job description in a common format and presentation style. We have all been guilty of 'overwriting' at some stage, with managers amending the template to suit their own purposes. Now is the time to get them all back to a consistent format and style, because I'm sure you've got nothing else to do…

Then there is the Statement of Responsibilities, which sets out what each senior manager is personally accountable for. Under the duty of responsibility, senior managers are accountable for their individual contributions to collective decisions, and for the implementation of those decisions, insofar as they concern any of the firm's activities for which they are responsible.

The FCA Consultation Paper CP17/42, entitled The Duty of Responsibility for insurers and FCA solo-regulated firms, remains open. It is a short, easy-to-read document. If you have a strong opinion on any element, make sure you respond by 21 February.

Then we come to the Holy Grail. The new General Data Protection Regulation (GDPR) applies from 25 May 2018. If you haven't heard about GDPR, where have you been for the last 18 months?

GDPR is the most far-reaching piece of European legislation to affect the UK in decades. It sets a new standard and expectation for data protection legislation, possibly the biggest change in a lifetime.

For larger firms with Risk and Compliance teams, GDPR should not come with any surprises, but that does not mean it will be free from concerns. Smaller firms, already struggling under the strain of the new regulatory and legislative burden, will find this tough. A small number have told me they are going to wait to see what the insurers do and piggyback on them. Don't!

Others believe their IT teams have a magic bit of software that will sort it all out. So much to learn, and so little time!

Get it right and GDPR could just become the best marketing opportunity in a long time. It gives you a legitimate reason to make contact with your customers and prospects, making them aware of what you do and how it will benefit them, provided that contact itself rests on a lawful basis and respects the marketing rules that apply to you.

Saying you are client-centric is just a glib statement. Demonstrating it in practice every day is what will set you apart.

The new rules treat health data as a special category of personal data, with its own conditions for processing, which I hope will be a good thing. I have lost track of the number of times I have heard someone say they cannot provide claims information on a medical insurance scheme because of the Data Protection Act, which is drivel! It is the rules on personal medical information, not the Act, that preclude the disclosure of such information.

In healthcare we seem to be slightly obsessed with membership certificates and claims information, treating them as the core element of GDPR. Don't get me wrong, they are important, but in my view our ability to prospect for new business without falling foul of the new rules will be key.

The wording of privacy notices, and how we approach them, will be an important consideration. One size will not fit all!

Clients want solution-driven advice based on their individual circumstances and particular needs. In many instances that means you don’t have to sell them anything – other than yourself.